Finnish Therapy Hack: 33,000 Victims, a Guilty Hacker, and a Nation's Trauma
Vastaamo Hack: 33,000 Therapy Notes Stolen, Hacker Found Guilty

Imagine your therapist's confidential notes – your most private fears and vulnerabilities – being published online for anyone to see. For 33,000 people in Finland, this nightmare became a terrifying reality in 2020, in a data breach with profound and deadly consequences.

The Day the Emails Arrived

For Tiina Parikka, the horror began with a casually checked email on a Saturday in October 2020. The message, which opened with her name and social security number, was chillingly polite. It informed her that as a user of Vastaamo's therapy services, she must pay €200 in bitcoin within 24 hours to keep her personal information safe. Failure to pay would see her detailed therapy session transcripts published online.

"My heart was pounding. It was really difficult to breathe," Parikka recalls. "It felt like a public rape." She had confided years of intimate struggles, from the trauma of raising disabled children to the collapse of her marriage. Now, a hacker threatened to expose it all.

Parikka was not alone. Identical ransom demands flooded the inboxes of tens of thousands across Finland. The victims, by the very nature of seeking therapy, were often vulnerable. The scale was unprecedented in a nation of just 5.6 million people.

A Catastrophic Failure of Security

Vastaamo had been a Finnish success story – a digital platform founded in 2008 to make psychotherapy accessible. By 2018, it employed over 220 therapists. However, its digital defences were shockingly inadequate.

Security expert Antti Kurittu, hired after the hack, found the patient database was accessible via the internet with no firewall and a blank password. "It was definitely unfit for purpose," he stated. The hacker, it seemed, had simply stumbled upon an unlocked vault of deeply sensitive data.

Before the mass emails, someone using the handle "ransom_man" had begun posting patient records on dark web forums. Each day, 100 records were leaked, featuring politicians, police officers, and children, with notes detailing adultery, suicide attempts, and sexual violence. The posts were signed off with a taunting "Enjoy!"

Tragically, the damage was already done. Before the ransom emails were even sent, the hacker had accidentally uploaded a file containing every single patient record from Vastaamo's database – 33,000 lives laid bare.

The Hunt for 'Ransom Man'

The investigation led to a familiar name in cybercrime circles: Aleksanteri Kivimäki, then 25. Known online as 'zeekill', Kivimäki had a long history of hacking and harassment dating back to his mid-teens. He had previously been convicted of over 50,000 data breaches but received a suspended sentence in 2015, after which he brazenly updated his Twitter bio to "untouchable hacker god".

Evidence against him was substantial. The hacker's accidental file upload included a home folder with clues. Police traced a bitcoin payment to Kivimäki's bank account. The server used to leak data was paid for with his credit card. Crucially, searches on the patient database for his own address and family members' names were linked to his IP address in London, where he was living at the time.

After an international manhunt, Kivimäki was arrested in a Paris suburb in February 2023. In April 2024, after a landmark trial broadcast to victims in public cinemas, he was found guilty on all charges, including 9,600 counts of aggravated invasion of privacy and over 21,300 counts of attempted extortion. He was sentenced to six years and three months in prison, a sentence he is currently appealing.

Lasting Scars and Unanswered Questions

The human cost is incalculable. Lawyers linked at least two suicides directly to the hack. For victim Meri-Tuuli Auer, the violation triggered a deep spiral. "I closed myself in at home, I didn't want anyone to see me," she said. The sense of exposure is permanent; copies of the database still circulate online.

In a prison interview, Kivimäki showed no remorse, claiming he was a scapegoat. When asked about victims taking their own lives, he callously replied, "These are nameless, faceless people."

Vastaamo was declared bankrupt in 2021. Its CEO, Ville Tapio, was initially convicted of criminal negligence, though this was later overturned. A civil case for damages against Kivimäki proceeds, but he claims to have no assets. The Finnish government is providing modest compensation, but it is largely symbolic.

The case exposes a grim digital truth. As Kivimäki himself cynically noted, our darkest secrets increasingly reside in corporate databases. The Vastaamo hack stands as a stark warning: in an age of unparalleled connectivity, the human need for confidential help is perilously at odds with the fragility of digital security.